Account Correlation - Multivalued Attribute

originalmths · April 25, 2025, 2:46pm

Hello guys,

Have you ever had a use case where it was necessary to use a multivalued field to perform an account correlation? If so, how did you do it?

To give more context, we have a source (Azure Active Directory) and within a Service Principal account there is an attribute called “tags”, it is a multivalued field. There is a value within this list of values that will be used to perform the correlation with the identity. I understand that the only option would be to create a Correlation Rule and perform the processing within the rule, correct?

phil_awlings · April 25, 2025, 3:09pm

How many times are you making Service Principal accounts?

Sounds more like a schedule task and manually correlate the AD account, to me

margocbain · April 25, 2025, 3:38pm

We have done this and had to use a cloud rule to accomplish. See an example below that you could use as a starting point.

import sailpoint.tools.Util;

import java.util.regex.Matcher;
import java.util.regex.Pattern;

Map returnMap = new HashMap();

String orgEmail = null;
String email = account.getStringAttribute( "organizationVerifiedDomainEmails" );

String regex = "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\\\.[a-zA-Z]{2,}";

Pattern pattern = Pattern.compile(regex);
Matcher matcher = pattern.matcher(email);

int count = 0;

while (matcher.find() && count < 30 ) {
     if (matcher.group().toLowerCase().contains("@test.com")) {
          orgEmail = matcher.group();
          break;
     } else {
          orgEmail = "[email protected]";
     }
     count ++;
}

returnMap.put( "identityAttributeName", "email");
returnMap.put( "identityAttributeValue", orgEmail );

return returnMap;

originalmths · May 12, 2025, 4:53pm

In my scenario, I can’t pass a mocked value like in your case (“@test.com”), I need to validate it with the value of an attribute of the identity.

In other words, the “tags” field that will come from the Azure account is a multivalued field. I need to pass each of the values within this field and validate it with an attribute of the identity. If it is the same, the account match between identity should be linked.

system · July 11, 2025, 4:53pm

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.